Remote workers access rights - SBS 2008

Is it possible to configure Terminal Services within SBS2008, so a user who accesses a network server from the office where the physical network is located, but also remotely, has different access rights in each case?

The scenario I wish to implement is one where there would be areas of the server drives which they would not be able to access remotely, but would be able to when they are in the office.

I can't see how this can be done. Access is controlled by NTFS permissions and these are tied to the user SID.
You could create a second ID for remote access, but I can't see that going down well with the users.

Thanks for the reply, Paul. My IT guy says much the same thing, but I honestly can't imagine that I am the only company proprietor who feels uncomfortable letting a worker have access to the full drive and directories they can access when physically at work, from the comfort of their own home!

The argument goes that if the data / drives are sensitive, then why give permission to the worker to access these when in work?

I accept this, but I also think that there is a huge difference between accessing data in the workplace with colleagues / supervisors all around, to dialling in and downloading from the comfort of your home, with no-one around!

Surely the IT industry must have come across this dual-rights desire amongst others of their business customers....

We usually restrict what users can do via the remote connection, e.g. no downloading of documents, but it's actually easier to email them from work anyway.
If you need staff to work from home you could set up remote access to launch only the required application, but copy / paste still works so you haven't really gained much.
Welcome to the quandary that is secure remote access!

Neil, I do this for a living and there are no clever ideas that will fix the problem. If your users have access to network resources, it is impossible to restrict access when logging on via a particular machine unless that machine is not on the network.

The problem with that approach is that most people expect to be identified as who they are and have privileges accordingly. They expect to be able to work & access data the same way no matter where they are. Certain restrictions on data downloading are acceptable security issues but if you restrict data access you predetermine their effectiveness away from the office.

If you need to control access and identity there are ways of doing that pretty effectively. But remember that as you ratchet up security it generally becomes much more expensive to implement and much more of a pain for the end user.

Sorry to be a killjoy, but as a disabled veteran whose personal information was put at risk when VA employees took laptops home to do work, and then "lost" them, I'm not a fan of employees taking "company" stuff home with them. I'm aware that employers tend to like workaholics, but there comes a point where security has to trump productivity...
I don't usually comment in the Windows Secrets Lounge, but this issue hits me where I live!
Dave

David Finster
United Church of Christ Minister, Retired
Member, International Conference of War Veteran Ministers
Chaplain and Life Member, Vietnam Veterans of America Chapter 933
Life Member, Disabled American Veterans

The question of permissions and access is one which IT managers can control, but the action of control then creates problems for end users that usually, in my experience, lead to the removal of the controls by management dictate. USB drives etc make data distribution a nightmare for IT, as large numbers of users require a USB port to sync portable devices. Limiting access to say Outlook Web Interface is one option - so a user can have the work needed available in an email, and can then create and save work at the remote site to either bring in via a laptop, or send in via email.

lockout by ip

Hi, can you lock out by IP address? I'm not familiar with Terminal Services but does it have the ability to figure out if the IP of the requesting client is not within the company's IP address range, so it will just block the accessing of the data? Or give the user a different user name/account when they are using it at home, e.g. at work sign in as joe and at home joe-home.

Originally Posted by neil

Is it possible to configure Terminal Services within SBS2008, so a user who accesses a network server from the office where the physical network is located, but also remotely, has different access rights in each case?

The scenario I wish to implement is one where there would be areas of the server drives which they would not be able to access remotely, but would be able to when they are in the office.

Ever hear of Results Only Work Environment (ROWE)? Program started at Best Buy Headquarters by Jody Thompson and Cali Ressler, now a book and a look at the future. Work from anywhere, at any time. My department of 3000 people has fully implemented the program, results are great, workers happier, lives better balanced and no security breaches of any kind - we use NetMotion for mobile connectivity, instant messaging and email for communication, are developing video conferencing for meetings and more. It is a challenge for those of us of a certain age to adapt to the idea of people not in our sight line actually working, but using their protocols we established clear results for which staff are accountable. It is the way of the future, less investment in infrastructure, reduced congestion on our freeways, improved productivity and higher morale. And, I was never actually standing at my staff's desks to be sure they were working when they were mostly right outside my office. We've been at it a year now. There are solutions out there for security and connectivity as well as productivity measures. People working from home is not going away from what I read, it continues to trend upward. The good news to that is there will be ever-increasing ideas about how to accomplish your objectives without compromising the security of your data. :^) gene